#BackToBasics – What is a DrDOS Attack?

2 May 2013 by Alice Cullen

Hacking techniques evolve rapidly, so keeping your finger on the pulse is essential for protecting your website. The latest development is the Distributed Reflection Denial of Service attack (DrDoS): the stronger, uglier version of a DDoS.

A DDoS attack, as we know, happens when a group of computers generates a huge amount of traffic to flood a website, overwhelming the server so that it crashes, meaning that legitimate traffic cannot reach the site.

A botnet is the name for the collection of computers that have been infected with a virus or malware for this purpose. Control over these botnet computers is taken by the person who installed the virus (or malware), known as a botnet herder. Often, the botnet herder will rent out access to their botnets to people wanting to inflict a DDoS attack on an intended victim or victims. Attacks like these can put a huge strain on networks because of the massive surge in bandwidth usage. They have even been known to take down whole networks and slow down the whole internet.

So, how does a DrDoS attack differ?

To launch an attack on a gigantic scale means renting a “beast” of a botnet, which could be very costly, and using all of a botnet’s resources for a DDoS attack increases the likelihood of Internet Service Providers (ISPs) discovering the method of attack and mitigating it.

To deliver a larger attack, hackers have started looking for ways to amplify their attacks so that they need fewer originating attack machines to cause a large amount of chaos. This is where the ‘reflection’ element comes in.

Hackers use a smaller group of infected computers to send multiple requests that elicit large responses to a number of reflection servers. These reflection servers function almost like a middle man, sorting out and re-directing queries, a bit like a sorting office. The request (or ‘packet’) is crafted by the hackers so that it has the IP address of the machine they wish to target. This way, it appears as if the target machine has asked the question. All responses, therefore, will route straight back to the oblivious target machine, overwhelming it with both the volume of incoming traffic and the size of each response.

This is a much more efficient way of causing DoS. Why? Because you need fewer attack machines to cause even more damage. Imagine, for example, that an attack server passed three specially crafted requests to five reflection servers. This would cause 15 requests hitting the reflection servers, which would then send 15 responses, each large in size, back to the target. Likewise, if you had five attack servers passing three specially crafted requests to ten reflection servers, then you would cause 300 responses! The amount of traffic when scaled up can be crippling to a website or network.
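The reflection mechanism described above also gives the defender a handle: the responses arrive at a host that never sent the requests. The check below is an added example, not code from the original post, showing how an edge device that logs both directions of traffic can flag hosts receiving responses from many servers they never queried. The flow records, the field layout and the threshold are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample flow records (not captured traffic), in the shape a
# hypothetical edge-firewall log might use:
#   (direction, local_ip, remote_ip, remote_port, bytes)
# "out" = a packet one of our hosts sent; "in" = a packet it received.
SAMPLE_FLOWS = [
    ("out", "10.0.0.5", "198.51.100.10", 53, 64),    # our host really asked...
    ("in",  "10.0.0.5", "198.51.100.10", 53, 512),   # ...and got an answer: fine
    ("in",  "10.0.0.9", "203.0.113.1",   53, 3900),  # answers to questions this
    ("in",  "10.0.0.9", "203.0.113.2",   53, 3900),  # host never sent, from five
    ("in",  "10.0.0.9", "203.0.113.3",   53, 3900),  # different servers: the
    ("in",  "10.0.0.9", "203.0.113.4",   53, 3900),  # reflected-response pattern
    ("in",  "10.0.0.9", "203.0.113.5",   53, 3900),
    ("in",  "10.0.0.7", "192.0.2.44",   123, 468),   # one stray packet, below threshold
]


def find_reflection_targets(flows, min_reflectors=3):
    """Return {local_ip: (distinct_reflectors, unsolicited_bytes)} for hosts
    that receive responses from at least min_reflectors servers they never
    sent a request to. Thresholds are illustrative, not tuned values."""
    # Every (local host, remote server, port) triple for which we saw a request leave.
    asked = {(loc, rem, port) for d, loc, rem, port, _ in flows if d == "out"}

    # Per local host: the set of servers answering unasked, and the bytes they sent.
    unsolicited = defaultdict(lambda: [set(), 0])
    for d, loc, rem, port, size in flows:
        if d == "in" and (loc, rem, port) not in asked:
            entry = unsolicited[loc]
            entry[0].add(rem)
            entry[1] += size

    return {
        loc: (len(servers), total)
        for loc, (servers, total) in unsolicited.items()
        if len(servers) >= min_reflectors
    }


if __name__ == "__main__":
    for host, (n, b) in find_reflection_targets(SAMPLE_FLOWS).items():
        print(f"{host}: {b} unsolicited bytes from {n} reflection servers")
```

In a real deployment the same idea is applied per time window on flow exports, and a host that trips the threshold is a candidate for upstream filtering or rate limiting rather than an automatic block.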

DrDoS attacks are on the increase as hackers have realised that it’s a more effective way to increase the volume of an attack. The good news is that, as attacks develop and become more sophisticated, so does technology.